Provision base infrastructure

a) Create a backend.<env>.tfvars file for the appropriate environment (test, dev, staging, prod)

From the root of the repository (~/veriscope), navigate to the following folder and create the appropriate backend.<env>.tfvars file with the values noted in the previous step.

cd infra/terraform
Sample backend.dev.tfvars file
bucket         = "dev-app-us-east-1-terraform"
region         = "us-east-1"
dynamodb_table = "dev-app-us-east-1-terraform-locks"
encrypt        = true

b) Create a .tfvars file for each environment (test, dev, staging, prod)

From the root of the repository (~/veriscope), navigate to the following folder:

cd infra/terraform/common
Sample dev.tfvars file
tags = {
  DeployedBy  = "Veriscope Automated Deployment"
  Environment = "Dev"
  Component   = "Common"
  Name        = "Veriscope Dev"
}
vpc_cidr               = "000.000.0.0/00"
region                 = "us-east-1"
env                    = "dev"
private_network_domain = "domain.com"

c) Initialise Terraform

Run the following command for each environment, replacing <env> with the environment in question: test, dev, staging, or prod.

terraform init -backend-config="./../backend.<env>.tfvars" -backend-config="key=common.tfstate"

For example, for prod:

terraform init -backend-config="./../backend.prod.tfvars" -backend-config="key=common.tfstate"
Sample output
...
...
...
Terraform has been successfully initialized! You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure. All Terraform commands should now work.

If you ever set or change modules or backend configuration for Terraform, rerun this command to reinitialize your working directory. If you forget, other commands will detect it and remind you to do so if necessary.

d) Validate your Terraform module

Run the following command:

terraform validate

You should see:

Success! The configuration is valid.

e) Set environment variables

If you don’t know your organization's AWS account number or IAM role name, contact your infrastructure administrator before proceeding.

Run the following commands:

export AWS_PROFILE=default   # or whichever profile you use in your environment
export AWS_REGION=us-east-1  # the AWS region you are using
export TF_VAR_aws_account_number=<your-aws-account-number>
export TF_VAR_role_name=<iam-role-name-to-assume>
export TF_VAR_cloudflare_creds='{ api_token = "kjsdhfksjhfskdjfhksjdhf", account_id = "lkjdshflksjhdfjhkjhslkjdf" }'
  • TF_VAR_role_name comes from the CloudFormation output in the previous step.

  • TF_VAR_cloudflare_creds is not used but is needed due to a minor bug in our Terraform module (which will be resolved soon).

f) Run Terraform plan

Run the following command:

terraform plan -var-file <env>.tfvars -out=<env>.tfplan

For example,

terraform plan -var-file dev.tfvars -out=dev.tfplan
Sample output
...
...
...
Saved the plan to: dev.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "dev.tfplan"
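
One way to review the saved plan before applying it in step g, shown as an added example (not part of the Veriscope repository): export the plan with `terraform show -json dev.tfplan` and inspect the `resource_changes` actions. The resource addresses in the sample are constructed, and the rule that a first provision should only create resources is an assumption.

```python
import json


def _rc(address, *actions):
    """Build one constructed resource_changes entry (illustrative only)."""
    return {"address": address, "change": {"actions": list(actions)}}


# Constructed sample in the shape of `terraform show -json dev.tfplan`,
# trimmed to the fields used here. Addresses are made up.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    _rc("aws_vpc.main", "create"),
    _rc("aws_subnet.private[0]", "create"),
    _rc("aws_security_group.node", "update"),
    _rc("aws_route53_zone.private", "delete", "create"),
    _rc("data.aws_caller_identity.current", "read"),
]})

IGNORED = {"no-op", "read"}  # actions that change nothing in the account


def summarize_plan(plan_json):
    """Return (counts, risky); risky lists addresses that delete or replace."""
    plan = json.loads(plan_json)
    counts = {"create": 0, "update": 0, "delete": 0, "replace": 0}
    risky = []
    for rc in plan.get("resource_changes", []):
        actions = [a for a in rc["change"]["actions"] if a not in IGNORED]
        if not actions:
            continue
        # Terraform encodes a replacement as both "delete" and "create".
        kind = "replace" if set(actions) == {"create", "delete"} else actions[0]
        counts[kind] = counts.get(kind, 0) + 1
        if kind in ("delete", "replace"):
            risky.append(rc["address"])
    return counts, risky


def safe_to_apply(plan_json, first_provision=True):
    """Assumed policy: a first provision only creates; later runs may update."""
    counts, risky = summarize_plan(plan_json)
    if risky:
        return False
    return not (first_provision and counts["update"] > 0)


if __name__ == "__main__":
    print(summarize_plan(SAMPLE_PLAN), safe_to_apply(SAMPLE_PLAN))
```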

g) Run Terraform apply

Review the plan and ensure Terraform says it will create the appropriate infrastructure. If all looks good, run the apply command:

terraform apply "<env>.tfplan"

For example,

terraform apply "dev.tfplan"
Sample output
...
...
...
Apply complete! Resources: 13 added, 0 changed, 0 destroyed.

Outputs:

...
...
...

If you encounter an error at this point (during the apply operation), you will need to run terraform plan followed by terraform apply again after the error/issue has been resolved.

The above step could take a few minutes. So, time for your favourite drink! At the end of the apply run, outputs will be printed. Some of them might be hidden due to being sensitive.

You can run the following command to see the hidden outputs:

terraform output -json

Included in the outputs are the FQDN, the public and private IP addresses of the node created, the SSH key secret name, the TA DB password secret name, etc.

Sometimes acquiring the state lock fails with an error like the one below. This can happen for various reasons, including forcibly exiting a previous plan, apply or destroy action.

Sample error
terraform plan -var-file art-cmyk.tfvars -out=art-cmyk.tfplan
Acquiring state lock. This may take a few moments...
╷
│ Error: Error acquiring the state lock
│
│ Error message: ConditionalCheckFailedException: The conditional request failed
│ Lock Info:
│   ID:        fa50f66d-489c-3782-7f2f-4571db2ed92d
│   Path:      dev-veriscope-us-east-1-terraform/instances.tfstate
│   Operation: OperationTypeApply
│   Who:       ravit@KRSNA-x360
│   Version:   1.3.3
│   Created:   2022-12-13 12:11:21.526195545 +0000 UTC
│   Info:
│
│
│ Terraform acquires a state lock to protect the state from being written
│ by multiple users at the same time. Please resolve the issue above and try
│ again. For most commands, you can disable locking with the "-lock=false"
│ flag, but this is not recommended.

To unlock, run the following command, using the ID shown under Lock Info:

terraform force-unlock -force fa50f66d-489c-3782-7f2f-4571db2ed92d

Sample output:

Terraform state has been successfully unlocked!

The state has been unlocked, and Terraform commands should now be able to obtain a new lock on the remote state.
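
Before forcing an unlock it helps to confirm whose lock it is and how old it is. The following added example (not from the Veriscope repository) parses the Lock Info block from the sample error above; the 30-minute threshold and the `unlock_advice` helper are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Lock details copied from the sample error on this page.
SAMPLE_ERROR = """\
│ Error: Error acquiring the state lock
│
│ Error message: ConditionalCheckFailedException: The conditional request failed
│ Lock Info:
│   ID:        fa50f66d-489c-3782-7f2f-4571db2ed92d
│   Path:      dev-veriscope-us-east-1-terraform/instances.tfstate
│   Operation: OperationTypeApply
│   Who:       ravit@KRSNA-x360
│   Version:   1.3.3
│   Created:   2022-12-13 12:11:21.526195545 +0000 UTC
"""

FIELD = re.compile(r"^\W*(ID|Path|Operation|Who|Version|Created):\s*(\S.*?)\s*$")
STAMP = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?:\.\d+)? ([+-]\d{4})")


def parse_lock_info(error_text):
    """Extract the Lock Info fields; Created becomes an aware datetime."""
    info = {}
    for line in error_text.splitlines():
        m = FIELD.match(line)
        if m:
            info[m.group(1)] = m.group(2)
    if "ID" not in info or "Created" not in info:
        raise ValueError("no lock info found in error text")
    ts = STAMP.search(info["Created"])
    if not ts:
        raise ValueError("unrecognised Created timestamp")
    # Terraform prints nanoseconds; drop the fraction, keep the UTC offset.
    info["Created"] = datetime.strptime(" ".join(ts.groups()), "%Y-%m-%d %H:%M:%S %z")
    return info


def unlock_advice(info, me, now, min_age=timedelta(minutes=30)):
    """Assumed policy: only unlock your own lock once it is clearly stale."""
    if info["Who"] != me:
        return f"held by {info['Who']}: ask them before unlocking"
    if now - info["Created"] < min_age:
        return "your lock is recent: check for a running terraform process first"
    # Without -force, so Terraform still asks for confirmation.
    return f"terraform force-unlock {info['ID']}"
```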

h) Upload Terraform output to S3 Bucket noted above

terraform output -json | tee <env>/common_infra.json
aws s3 cp ./<env>/common_infra.json s3://<s3-bucket-name>/data/common_infra.json --sse AES256
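
`terraform output -json` prints sensitive values in clear text, and `tee` echoes them to the terminal. This added example (not part of the Veriscope repository) writes the full outputs to a file readable only by the current user and builds a masked copy for display; the output names and values in the sample are constructed placeholders.

```python
import json
import os
import tempfile

# Constructed sample in the shape `terraform output -json` prints; the output
# names and values are placeholders, not this module's real outputs.
SAMPLE_OUTPUTS = json.dumps({
    "node_fqdn": {"sensitive": False, "type": "string", "value": "node.example.com"},
    "ssh_key_secret_name": {"sensitive": True, "type": "string", "value": "example-ssh-key"},
    "db_password_secret_name": {"sensitive": True, "type": "string", "value": "example-db-pass"},
})


def redact(outputs_json):
    """Copy of the outputs that is safe to print: sensitive values are masked."""
    outputs = json.loads(outputs_json)
    return {
        name: "<sensitive>" if out.get("sensitive") else out["value"]
        for name, out in outputs.items()
    }


def write_private(outputs_json, path):
    """Write the full outputs so only the current user can read the file."""
    # O_EXCL refuses to reuse an existing file that may have looser permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(outputs_json)
    return oct(os.stat(path).st_mode & 0o777)


if __name__ == "__main__":
    target = os.path.join(tempfile.mkdtemp(), "common_infra.json")
    print(write_private(SAMPLE_OUTPUTS, target))
    print(json.dumps(redact(SAMPLE_OUTPUTS), indent=2))
```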